[PATCH] Show correct path to vpnc-script in the man page

Mike Miller mtmiller at ieee.org
Thu Jun 7 11:58:30 EDT 2012


Insert the actual path to vpnc-script that is compiled into the
openconnect executable.

Signed-off-by: Mike Miller <mtmiller at ieee.org>
---

The vpnc-script path is different from the default under Debian so I
patched the man page to refer to that path instead.  This is a more
generic version of that patch, hope you can use it.

 Makefile.am      |    2 +-
 configure.ac     |    3 +-
 openconnect.8    |  323 ------------------------------------------------------
 openconnect.8.in |  323 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 326 insertions(+), 325 deletions(-)
 delete mode 100644 openconnect.8
 create mode 100644 openconnect.8.in

diff --git a/Makefile.am b/Makefile.am
index 62eaf1e..e9e24e2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,7 +31,7 @@ endif
 
 pkgconfig_DATA = openconnect.pc
 
-EXTRA_DIST = version.sh openconnect.8 COPYING.LGPL
+EXTRA_DIST = version.sh COPYING.LGPL
 
 DISTCLEANFILES = $(pkgconfig_DATA)
 
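Review bot: The `EXTRA_DIST` line drops `openconnect.8` without listing `openconnect.8.in`, and the commit message does not say why that is safe. Automake distributes the templates of files named in `AC_OUTPUT` on its own, so the tarball should still carry the man page source, but a `make distcheck` run and a sentence in the commit message would confirm it.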
diff --git a/configure.ac b/configure.ac
index 61b21e3..c1bb531 100644
--- a/configure.ac
+++ b/configure.ac
@@ -53,6 +53,7 @@ elif test "$with_vpnc_script" = "no"; then
 fi
 
 AC_DEFINE_UNQUOTED(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}")
+AC_SUBST(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}")
 
 case $host_os in
  *linux* | *gnu*)
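Review bot: The added `AC_SUBST(DEFAULT_VPNCSCRIPT, "${with_vpnc_script}")` repeats the value already passed to `AC_DEFINE_UNQUOTED` on the line above, so the compiled-in default and the documented one stay in step only by convention. Consider assigning the shell variable `DEFAULT_VPNCSCRIPT` once and using it in both macros, so the man page cannot drift from the script path built into the executable.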
@@ -390,4 +391,4 @@ done
 AC_SUBST(GITVERSIONDEPS)
 
 AC_OUTPUT(Makefile openconnect.pc po/Makefile www/Makefile libopenconnect.map \
-	  www/styles/Makefile www/inc/Makefile www/images/Makefile)
+	  openconnect.8 www/styles/Makefile www/inc/Makefile www/images/Makefile)
diff --git a/openconnect.8 b/openconnect.8
deleted file mode 100644
index bb47b38..0000000
--- a/openconnect.8
+++ /dev/null
@@ -1,323 +0,0 @@
-.TH OPENCONNECT 8
-.SH NAME
-openconnect \- Connect to Cisco AnyConnect VPN
-.SH SYNOPSIS
-.SY openconnect
-.OP \-\-config configfile
-.OP \-b,\-\-background
-.OP \-\-pid\-file pidfile
-.OP \-c,\-\-certificate cert
-.OP \-e,\-\-cert\-expire\-warning days
-.OP \-k,\-\-sslkey key
-.OP \-K,\-\-key\-type type
-.OP \-C,\-\-cookie cookie
-.OP \-\-cookie\-on\-stdin
-.OP \-d,\-\-deflate
-.OP \-D,\-\-no\-deflate
-.OP \-\-force\-dpd interval
-.OP \-g,\-\-usergroup group
-.OP \-h,\-\-help
-.OP \-i,\-\-interface ifname
-.OP \-l,\-\-syslog
-.OP \-U,\-\-setuid user
-.OP \-\-csd\-user user
-.OP \-m,\-\-mtu mtu
-.OP \-p,\-\-key\-password pass
-.OP \-P,\-\-proxy proxyurl
-.OP \-\-no\-proxy
-.OP \-\-libproxy
-.OP \-\-key\-password\-from\-fsid
-.OP \-\-key\-type type
-.OP \-q,\-\-quiet
-.OP \-Q,\-\-queue\-len len
-.OP \-s,\-\-script vpnc\-script
-.OP \-S,\-\-script\-tun
-.OP \-u,\-\-user name
-.OP \-V,\-\-version
-.OP \-v,\-\-verbose
-.OP \-x,\-\-xmlconfig config
-.OP \-\-authgroup group
-.OP \-\-cookieonly
-.OP \-\-printcookie
-.OP \-\-cafile file
-.OP \-\-disable\-ipv6
-.OP \-\-dtls\-ciphers list
-.OP \-\-no\-cert\-check
-.OP \-\-no\-dtls
-.OP \-\-no\-http\-keepalive
-.OP \-\-no\-passwd
-.OP \-\-non\-inter
-.OP \-\-passwd\-on\-stdin
-.OP \-\-reconnect\-timeout
-.OP \-\-servercert sha1
-.OP \-\-useragent string
-.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
-.YS
-
-.SH DESCRIPTION
-The program
-.B openconnect
-connects to Cisco "AnyConnect" VPN servers, which use standard TLS
-and DTLS protocols for data transport.
-
-The connection happens in two phases. First there is a simple HTTPS
-connection over which the user authenticates somehow \- by using a
-certificate, or password or SecurID, etc.  Having authenticated, the
-user is rewarded with an HTTP cookie which can be used to make the
-real VPN connection.
-
-The second phase uses that cookie in an HTTPS
-.I CONNECT
-request, and data packets can be passed over the resulting
-connection. In auxiliary headers exchanged with the
-.I CONNECT
-request, a Session\-ID and Master Secret for a DTLS connection are also
-exchanged, which allows data transport over UDP to occur.
-
-
-.SH OPTIONS
-.TP
-.B \-\-config=CONFIGFILE
-Read further options from
-.I CONFIGFILE
-before continuing to process options from the command line. The file
-should contain long-format options as would be accepted on the command line,
-but without the two leading \-\- dashes. Empty lines, or lines where the
-first non-space character is a # character, are ignored.
-
-Any option except the
-.B config
-option may be specified in the file.
-.TP
-.B \-b,\-\-background
-Continue in background after startup
-.TP
-.B \-\-pid\-file=PIDFILE
-Save the pid to
-.I PIDFILE
-when backgrounding
-.TP
-.B \-c,\-\-certificate=CERT
-Use SSL client certificate
-.I CERT
-.TP
-.B \-e,\-\-cert\-expire\-warning=DAYS
-Give a warning when SSL client certificate has
-.I DAYS
-left before expiry
-.TP
-.B \-k,\-\-sslkey=KEY
-Use SSL private key file
-.I KEY
-.TP
-.B \-C,\-\-cookie=COOKIE
-Use WebVPN cookie
-.I COOKIE
-.TP
-.B \-\-cookie\-on\-stdin
-Read cookie from standard input
-.TP
-.B \-d,\-\-deflate
-Enable compression (default)
-.TP
-.B \-D,\-\-no\-deflate
-Disable compression
-.TP
-.B \-\-force\-dpd=INTERVAL
-Use
-.I INTERVAL
-as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
-.TP
-.B \-g,\-\-usergroup=GROUP
-Use
-.I GROUP
-as login UserGroup
-.TP
-.B \-h,\-\-help
-Display help text
-.TP
-.B \-i,\-\-interface=IFNAME
-Use
-.I IFNAME
-for tunnel interface
-.TP
-.B \-l,\-\-syslog
-Use syslog for progress messages
-.TP
-.B \-U,\-\-setuid=USER
-Drop privileges after connecting, to become user
-.I USER
-.TP
-.B \-\-csd\-user=USER
-Drop privileges during CSD (Cisco Secure Desktop) script execution.
-.TP
-.B \-\-csd\-wrapper=SCRIPT
-Run
-.I SCRIPT
-instead of the CSD (Cisco Secure Desktop) script.
-.TP
-.B \-m,\-\-mtu=MTU
-Request
-.I MTU
-from server
-.TP
-.B \-p,\-\-key\-password=PASS
-Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
-.TP
-.B \-P,\-\-proxy=PROXYURL
-Use HTTP or SOCKS proxy for connection
-.TP
-.B \-\-no\-proxy
-Disable use of proxy
-.TP
-.B \-\-libproxy
-Use libproxy to configure proxy automatically (when built with libproxy support)
-.TP
-.B \-\-key\-password\-from\-fsid
-Passphrase for certificate file is automatically generated from the
-.I fsid
-of the file system on which it is stored. The
-.I fsid
-is obtained from the 
-.BR statvfs (2)
-or
-.BR statfs (2)
-system call, depending on the operating system. On a Linux or similar system
-with GNU coreutils, the
-.I fsid
-used by this option should be equal to the output of the command:
-.EX
-stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
-.EE
-It is not the same as the 128\-bit UUID of the file system.
-.TP
-.B \-\-key\-type=TYPE
-Type of private key file (PKCS#12, TPM or PEM)
-.TP
-.B \-q,\-\-quiet
-Less output
-.TP
-.B \-Q,\-\-queue\-len=LEN
-Set packet queue limit to
-.I LEN
-pkts
-.TP
-.B \-s,\-\-script=SCRIPT
-Invoke
-.I SCRIPT
-to configure the network after connection. Without this, routing and name
-service are unlikely to work correctly. The script is expected to be
-compatible with the
-.B vpnc\-script
-which is shipped with the "vpnc" VPN client. See
-.I http://www.infradead.org/openconnect/vpnc-script.html
-for more information. Unless OpenConnect was built in a non-standard way,
-the default is
-.B /etc/vpnc/vpnc-script
-.TP
-.B \-S,\-\-script\-tun
-Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
-tun/tap device. This allows the VPN IP traffic to be handled entirely in
-userspace, for example by a program which uses lwIP to provide SOCKS access
-into the VPN.
-.TP
-.B \-u,\-\-user=NAME
-Set login username to
-.I NAME
-.TP
-.B \-V,\-\-version
-Report version number
-.TP
-.B \-v,\-\-verbose
-More output
-.TP
-.B \-x,\-\-xmlconfig=CONFIG
-XML config file
-.TP
-.B \-\-authgroup=GROUP
-Choose authentication login selection
-.TP
-.B \-\-cookieonly
-Fetch webvpn cookie only; don't connect
-.TP
-.B \-\-printcookie
-Print webvpn cookie before connecting
-.TP
-.B \-\-cafile=FILE
-Cert file for server verification
-.TP
-.B \-\-disable\-ipv6
-Do not advertise IPv6 capability to server
-.TP
-.B \-\-dtls\-ciphers=LIST
-Set OpenSSL ciphers to support for DTLS
-.TP
-.B \-\-no\-cert\-check
-Do not require server SSL certificate to be valid. Checks will still happen
-and failures will cause a warning message, but the connection will continue
-anyway. You should not need to use this option \- if your servers have SSL
-certificates which are not signed by a trusted Certificate Authority, you can
-still add them (or your private CA) to a local file and use that file with the
-.B \-\-cafile
-option.
-
-.TP
-.B \-\-no\-dtls
-Disable DTLS
-.TP
-.B \-\-no\-http\-keepalive
-Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
-the client's SSL certificate when HTTP connections are being re\-used for
-multiple requests. So far, this has only been seen on the initial connection,
-where the server gives an HTTP/1.0 redirect response with an explicit
-.B Connection: Keep\-Alive
-directive. OpenConnect as of v2.22 has an unconditional workaround for this,
-which is never to obey that directive after an HTTP/1.0 response.
-
-However, Cisco's support team has failed to give any competent
-response to the bug report and we don't know under what other
-circumstances their bug might manifest itself. So this option exists
-to disable ALL re\-use of HTTP sessions and cause a new connection to be
-made for each request. If your server seems not to be recognising your
-certificate, try this option. If it makes a difference, please report
-this information to the
-.B openconnect\-devel at lists.infradead.org
-mailing list.
-.TP
-.B \-\-no\-passwd
-Never attempt password (or SecurID) authentication.
-.TP
-.B \-\-non\-inter
-Do not expect user input; exit if it is required.
-.TP
-.B \-\-passwd\-on\-stdin
-Read password from standard input
-.TP
-.B \-\-reconnect\-timeout
-Keep reconnect attempts until so much seconds are elapsed. The default
-timeout is 300 seconds, which means that openconnect can recover
-VPN connection after a temporary network down time of 300 seconds.
-.TP
-.B \-\-servercert=SHA1
-Accept server's SSL certificate only if its fingerprint matches
-.IR SHA1 .
-.TP
-.B \-\-useragent=STRING
-Use
-.I STRING
-as 'User\-Agent:' field value in HTTP header.
-(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
-
-.SH LIMITATIONS
-Note that although IPv6 has been tested on all platforms on which
-.B openconnect
-is known to run, it depends on a suitable
-.B vpnc\-script
-to configure the network. The standard
-.B vpnc\-script
-shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
-.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
-will be required.
-
-.SH AUTHORS
-David Woodhouse <dwmw2 at infradead.org>
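Review bot: Deleting all 323 lines of `openconnect.8` here and re-adding them as `openconnect.8.in` hides the only real change, which is the three-line edit in the `--script` entry. Regenerating the patch with rename detection (`git format-patch -M`) would show it as a rename with a small diff and make it much easier to check that nothing else in the page changed.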
diff --git a/openconnect.8.in b/openconnect.8.in
new file mode 100644
index 0000000..97b183e
--- /dev/null
+++ b/openconnect.8.in
@@ -0,0 +1,323 @@
+.TH OPENCONNECT 8
+.SH NAME
+openconnect \- Connect to Cisco AnyConnect VPN
+.SH SYNOPSIS
+.SY openconnect
+.OP \-\-config configfile
+.OP \-b,\-\-background
+.OP \-\-pid\-file pidfile
+.OP \-c,\-\-certificate cert
+.OP \-e,\-\-cert\-expire\-warning days
+.OP \-k,\-\-sslkey key
+.OP \-K,\-\-key\-type type
+.OP \-C,\-\-cookie cookie
+.OP \-\-cookie\-on\-stdin
+.OP \-d,\-\-deflate
+.OP \-D,\-\-no\-deflate
+.OP \-\-force\-dpd interval
+.OP \-g,\-\-usergroup group
+.OP \-h,\-\-help
+.OP \-i,\-\-interface ifname
+.OP \-l,\-\-syslog
+.OP \-U,\-\-setuid user
+.OP \-\-csd\-user user
+.OP \-m,\-\-mtu mtu
+.OP \-p,\-\-key\-password pass
+.OP \-P,\-\-proxy proxyurl
+.OP \-\-no\-proxy
+.OP \-\-libproxy
+.OP \-\-key\-password\-from\-fsid
+.OP \-\-key\-type type
+.OP \-q,\-\-quiet
+.OP \-Q,\-\-queue\-len len
+.OP \-s,\-\-script vpnc\-script
+.OP \-S,\-\-script\-tun
+.OP \-u,\-\-user name
+.OP \-V,\-\-version
+.OP \-v,\-\-verbose
+.OP \-x,\-\-xmlconfig config
+.OP \-\-authgroup group
+.OP \-\-cookieonly
+.OP \-\-printcookie
+.OP \-\-cafile file
+.OP \-\-disable\-ipv6
+.OP \-\-dtls\-ciphers list
+.OP \-\-no\-cert\-check
+.OP \-\-no\-dtls
+.OP \-\-no\-http\-keepalive
+.OP \-\-no\-passwd
+.OP \-\-non\-inter
+.OP \-\-passwd\-on\-stdin
+.OP \-\-reconnect\-timeout
+.OP \-\-servercert sha1
+.OP \-\-useragent string
+.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
+.YS
+
+.SH DESCRIPTION
+The program
+.B openconnect
+connects to Cisco "AnyConnect" VPN servers, which use standard TLS
+and DTLS protocols for data transport.
+
+The connection happens in two phases. First there is a simple HTTPS
+connection over which the user authenticates somehow \- by using a
+certificate, or password or SecurID, etc.  Having authenticated, the
+user is rewarded with an HTTP cookie which can be used to make the
+real VPN connection.
+
+The second phase uses that cookie in an HTTPS
+.I CONNECT
+request, and data packets can be passed over the resulting
+connection. In auxiliary headers exchanged with the
+.I CONNECT
+request, a Session\-ID and Master Secret for a DTLS connection are also
+exchanged, which allows data transport over UDP to occur.
+
+
+.SH OPTIONS
+.TP
+.B \-\-config=CONFIGFILE
+Read further options from
+.I CONFIGFILE
+before continuing to process options from the command line. The file
+should contain long-format options as would be accepted on the command line,
+but without the two leading \-\- dashes. Empty lines, or lines where the
+first non-space character is a # character, are ignored.
+
+Any option except the
+.B config
+option may be specified in the file.
+.TP
+.B \-b,\-\-background
+Continue in background after startup
+.TP
+.B \-\-pid\-file=PIDFILE
+Save the pid to
+.I PIDFILE
+when backgrounding
+.TP
+.B \-c,\-\-certificate=CERT
+Use SSL client certificate
+.I CERT
+.TP
+.B \-e,\-\-cert\-expire\-warning=DAYS
+Give a warning when SSL client certificate has
+.I DAYS
+left before expiry
+.TP
+.B \-k,\-\-sslkey=KEY
+Use SSL private key file
+.I KEY
+.TP
+.B \-C,\-\-cookie=COOKIE
+Use WebVPN cookie
+.I COOKIE
+.TP
+.B \-\-cookie\-on\-stdin
+Read cookie from standard input
+.TP
+.B \-d,\-\-deflate
+Enable compression (default)
+.TP
+.B \-D,\-\-no\-deflate
+Disable compression
+.TP
+.B \-\-force\-dpd=INTERVAL
+Use
+.I INTERVAL
+as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
+.TP
+.B \-g,\-\-usergroup=GROUP
+Use
+.I GROUP
+as login UserGroup
+.TP
+.B \-h,\-\-help
+Display help text
+.TP
+.B \-i,\-\-interface=IFNAME
+Use
+.I IFNAME
+for tunnel interface
+.TP
+.B \-l,\-\-syslog
+Use syslog for progress messages
+.TP
+.B \-U,\-\-setuid=USER
+Drop privileges after connecting, to become user
+.I USER
+.TP
+.B \-\-csd\-user=USER
+Drop privileges during CSD (Cisco Secure Desktop) script execution.
+.TP
+.B \-\-csd\-wrapper=SCRIPT
+Run
+.I SCRIPT
+instead of the CSD (Cisco Secure Desktop) script.
+.TP
+.B \-m,\-\-mtu=MTU
+Request
+.I MTU
+from server
+.TP
+.B \-p,\-\-key\-password=PASS
+Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
+.TP
+.B \-P,\-\-proxy=PROXYURL
+Use HTTP or SOCKS proxy for connection
+.TP
+.B \-\-no\-proxy
+Disable use of proxy
+.TP
+.B \-\-libproxy
+Use libproxy to configure proxy automatically (when built with libproxy support)
+.TP
+.B \-\-key\-password\-from\-fsid
+Passphrase for certificate file is automatically generated from the
+.I fsid
+of the file system on which it is stored. The
+.I fsid
+is obtained from the 
+.BR statvfs (2)
+or
+.BR statfs (2)
+system call, depending on the operating system. On a Linux or similar system
+with GNU coreutils, the
+.I fsid
+used by this option should be equal to the output of the command:
+.EX
+stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
+.EE
+It is not the same as the 128\-bit UUID of the file system.
+.TP
+.B \-\-key\-type=TYPE
+Type of private key file (PKCS#12, TPM or PEM)
+.TP
+.B \-q,\-\-quiet
+Less output
+.TP
+.B \-Q,\-\-queue\-len=LEN
+Set packet queue limit to
+.I LEN
+pkts
+.TP
+.B \-s,\-\-script=SCRIPT
+Invoke
+.I SCRIPT
+to configure the network after connection. Without this, routing and name
+service are unlikely to work correctly. The script is expected to be
+compatible with the
+.B vpnc\-script
+which is shipped with the "vpnc" VPN client. See
+.I http://www.infradead.org/openconnect/vpnc-script.html
+for more information. This version of OpenConnect is configured to use
+.B @DEFAULT_VPNCSCRIPT@
+by default.
+.TP
+.B \-S,\-\-script\-tun
+Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
+tun/tap device. This allows the VPN IP traffic to be handled entirely in
+userspace, for example by a program which uses lwIP to provide SOCKS access
+into the VPN.
+.TP
+.B \-u,\-\-user=NAME
+Set login username to
+.I NAME
+.TP
+.B \-V,\-\-version
+Report version number
+.TP
+.B \-v,\-\-verbose
+More output
+.TP
+.B \-x,\-\-xmlconfig=CONFIG
+XML config file
+.TP
+.B \-\-authgroup=GROUP
+Choose authentication login selection
+.TP
+.B \-\-cookieonly
+Fetch webvpn cookie only; don't connect
+.TP
+.B \-\-printcookie
+Print webvpn cookie before connecting
+.TP
+.B \-\-cafile=FILE
+Cert file for server verification
+.TP
+.B \-\-disable\-ipv6
+Do not advertise IPv6 capability to server
+.TP
+.B \-\-dtls\-ciphers=LIST
+Set OpenSSL ciphers to support for DTLS
+.TP
+.B \-\-no\-cert\-check
+Do not require server SSL certificate to be valid. Checks will still happen
+and failures will cause a warning message, but the connection will continue
+anyway. You should not need to use this option \- if your servers have SSL
+certificates which are not signed by a trusted Certificate Authority, you can
+still add them (or your private CA) to a local file and use that file with the
+.B \-\-cafile
+option.
+
+.TP
+.B \-\-no\-dtls
+Disable DTLS
+.TP
+.B \-\-no\-http\-keepalive
+Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
+the client's SSL certificate when HTTP connections are being re\-used for
+multiple requests. So far, this has only been seen on the initial connection,
+where the server gives an HTTP/1.0 redirect response with an explicit
+.B Connection: Keep\-Alive
+directive. OpenConnect as of v2.22 has an unconditional workaround for this,
+which is never to obey that directive after an HTTP/1.0 response.
+
+However, Cisco's support team has failed to give any competent
+response to the bug report and we don't know under what other
+circumstances their bug might manifest itself. So this option exists
+to disable ALL re\-use of HTTP sessions and cause a new connection to be
+made for each request. If your server seems not to be recognising your
+certificate, try this option. If it makes a difference, please report
+this information to the
+.B openconnect\-devel at lists.infradead.org
+mailing list.
+.TP
+.B \-\-no\-passwd
+Never attempt password (or SecurID) authentication.
+.TP
+.B \-\-non\-inter
+Do not expect user input; exit if it is required.
+.TP
+.B \-\-passwd\-on\-stdin
+Read password from standard input
+.TP
+.B \-\-reconnect\-timeout
+Keep reconnect attempts until so much seconds are elapsed. The default
+timeout is 300 seconds, which means that openconnect can recover
+VPN connection after a temporary network down time of 300 seconds.
+.TP
+.B \-\-servercert=SHA1
+Accept server's SSL certificate only if its fingerprint matches
+.IR SHA1 .
+.TP
+.B \-\-useragent=STRING
+Use
+.I STRING
+as 'User\-Agent:' field value in HTTP header.
+(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
+
+.SH LIMITATIONS
+Note that although IPv6 has been tested on all platforms on which
+.B openconnect
+is known to run, it depends on a suitable
+.B vpnc\-script
+to configure the network. The standard
+.B vpnc\-script
+shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
+.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
+will be required.
+
+.SH AUTHORS
+David Woodhouse <dwmw2 at infradead.org>
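Review bot: In the `--script` entry, `.B @DEFAULT_VPNCSCRIPT@` places the configure-time path into roff unescaped, while the rest of the page writes hyphens as `\-` (for example `vpnc\-script`). A path such as the previous default `/etc/vpnc/vpnc-script` may then render with a typographic hyphen that does not copy and paste cleanly, and a backslash in a custom path would be read as a roff escape; consider escaping the value before substitution.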
-- 
1.7.10


